RE: [Gen-art] Gen-ART review of draft-huston-6to4-reverse-dns-07.txt
Black_David@emc.com Wed, 18 July 2007 13:02 UTC
Return-path: <gen-art-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IB9AY-00068A-E1; Wed, 18 Jul 2007 09:02:18 -0400
Received: from gen-art by megatron.ietf.org with local (Exim 4.43) id 1IB9AI-00065i-Vl for gen-art-confirm+ok@megatron.ietf.org; Wed, 18 Jul 2007 09:02:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IB9AI-00065T-Ay for gen-art@ietf.org; Wed, 18 Jul 2007 09:02:02 -0400
Received: from mexforward.lss.emc.com ([128.222.32.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IB9AH-000050-Pn for gen-art@ietf.org; Wed, 18 Jul 2007 09:02:02 -0400
Received: from mailhub.lss.emc.com (nirah.lss.emc.com [10.254.144.13]) by mexforward.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id l6ID1sUP016451; Wed, 18 Jul 2007 09:01:54 -0400 (EDT)
Received: from corpussmtp3.corp.emc.com (corpussmtp3.corp.emc.com [10.254.64.53]) by mailhub.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id l6ID1I9t006881; Wed, 18 Jul 2007 09:01:51 -0400 (EDT)
From: Black_David@emc.com
Received: from CORPUSMX20A.corp.emc.com ([128.221.62.12]) by corpussmtp3.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 18 Jul 2007 09:01:24 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Gen-art] Gen-ART review of draft-huston-6to4-reverse-dns-07.txt
Date: Wed, 18 Jul 2007 09:01:23 -0400
Message-ID: <F222151D3323874393F83102D614E0550A4D233B@CORPUSMX20A.corp.emc.com>
In-Reply-To: <469DC50E.4060302@gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Gen-art] Gen-ART review of draft-huston-6to4-reverse-dns-07.txt
Thread-Index: AcfJD6JH3iRBT7POSR2cTv1/EqDLAQAK0iAw
References: <F222151D3323874393F83102D614E0550A4D2322@CORPUSMX20A.corp.emc.com> <469DC50E.4060302@gmail.com>
To: brian.e.carpenter@gmail.com
X-OriginalArrivalTime: 18 Jul 2007 13:01:24.0543 (UTC) FILETIME=[BED804F0:01C7C93B]
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.5.1.298604, Antispam-Data: 2007.7.6.21134
X-PerlMx-Spam: Gauge=, SPAM=1%, Reason='EMC_FROM_0+ -3, NO_REAL_NAME 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __IMS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __PHISH_PHRASE3 0, __SANE_MSGID 0'
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 25620135586de10c627e3628c432b04a
Cc: pk@DENIC.DE, rbonica@juniper.net, gen-art@ietf.org, gih@apnic.net, Black_David@emc.com
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
While I'd like to see some consideration of prefix-based control, a security considerations discussion of access limitation via an IPv6 firewall is ok (but it *needs* text in the security considerations section), and Brian's proposed "SHOULD NOT" for the use of dynamic IPv4 addresses for 6to4 sites with reverse DNS delegation is fine - that should be sufficient warning for the surprise that a DHCP reassignment may cause inheritance of someone else's remote DNS delegation (if this happens, it was a consequence of ignoring the "SHOULD NOT"). Thanks, --David > On 2007-07-17 20:06, Black_David@emc.com wrote: > ... > > The draft is in generally good shape, but I think the first > > two potential issues noted in Section 4 Delegation Administration > > need further attention: > > > > o Clients inside a 6to4 site could alter the delegation details > > without the knowledge of the site administrator. It is noted that > > this is intended for small-scale sites. Where there are potential > > issues of unauthorized access to this delegation function the > > local site administrator could take appropriate access control > > measures. > > > > Independent of intent, this will get used for larger scale sites. > > Some form of prefix control exercisable by the site administrator > > would be a good idea. This may not be possible in all cases as > > details of provider address allocation aren't always available > > beyond the address block allocated by the registry, but the topic > > needs some more thought. Failing that, this is a v6 firewall > > configuration issue, and the need for a firewall to support this > > for administratively-controlled multi-address sites should be > > called out in the Security Considerations section. > > It doesn't seem hard - it means that access to https://6to4.nro.net > has to be controlled, and there are many firewalls intrusive > enough to do that. > > > > > o IPv4 DHCP-based 6to4 sites, or any 6to4 site that uses > > dynamically-assigned external IPv4 interface addresses, could > > inherit nonsense reverse entries created by previous users of the > > dynamically assigned address. In this case the client site could > > request delegation of the reverse zone as required. > > > > This is an invitation to serious problems. There ought to be a > > way in the service to add a delegation expiration time when a > > delegation is requested (e.g., a slightly smart piece of client > > software could then put in the DHCP lease expiration time and > > update the delegation when renewing the DHCP lease). Inheriting > > someone else's reverse DNS delegation because DHCP re-allocated > > the IP address is not what I would consider expected behavior. > > > > No, but the combination of 6to4 in site mode with a single > dynamically assigned IPv4 address for a whole site seems a little > outside the parameters 6to4 was designed for. Remember that a 6to4 > site also has to establish an ongoing relationship with a 6to4 relay > router. I don't think a model where all that has to be re-done > after a power cut or an ISP glitch is very plausible. Rather than > adding a lifetime mechanism, why need make this a SHOULD NOT? > (i.e. If reverse delegation is needed the site SHOULD NOT use > a non-fixed IPv4ADDR for 6to4.) > > Brian > > > _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART review of draft-huston-6to4-rev… Black_David
- Re: [Gen-art] Gen-ART review of draft-huston-6to4… Brian E Carpenter
- RE: [Gen-art] Gen-ART review of draft-huston-6to4… Black_David